327 lines
8.5 KiB
Plaintext
327 lines
8.5 KiB
Plaintext
%% \documentstyle[11pt,a4]{article}
|
|
\documentstyle[11pt]{article}
|
|
%% \pagestyle{headings}
|
|
%% \pagestyle{empty}
|
|
\setlength{\textwidth}{6.5in}
|
|
\setlength{\parindent}{0in}
|
|
%% \setlength{\parskip}{\medskipamount}
|
|
\setlength{\oddsidemargin}{0in}
|
|
\setlength{\evensidemargin}{0in}
|
|
%% \setlength{\footskip}{0.2cm}
|
|
\begin{document}
|
|
|
|
\begin{center}
|
|
{\LARGE {\bf Configuring Kerberos IV on 4.4 BSD}} \\
|
|
{\it Mark Dapoz} \\
|
|
{\it $<$md@bsc.no$>$} \\
|
|
{\it Bergen Scientific Centre} \\
|
|
{\it Bergen, Norway} \\
|
|
{\it April 4th, 1994} \\
|
|
\end{center}
|
|
|
|
\section{Introduction}
|
|
|
|
The following instructions can be used as a quick guide on how to set up
|
|
kerberos as distributed in 4.4 BSD. However, you should refer to the
|
|
original Athena documentation for a complete description.
|
|
|
|
|
|
\section{Creating the initial database}
|
|
|
|
First make sure that you don't have any old kerberos databases around. You
|
|
should change to the directory {\bf /etc/kerberosIV} and check that only the
|
|
following files are present:
|
|
|
|
\begin{verbatim}
|
|
mideon# cd /etc/kerberosIV
|
|
mideon# ls
|
|
README krb.conf krb.realms register_keys
|
|
\end{verbatim}
|
|
|
|
If any additional files (such as principal.dir) exist, then use the
|
|
{\bf kdb\_destroy} command to destroy the old kerberos database.\\
|
|
|
|
You should now edit the {\bf krb.conf} and {\bf krb.realms} files to define
|
|
your kerberos realm. In this case the realm will be {\it BSC.NO} and
|
|
the server is {\it mideon.bsc.no}. We would edit the {\bf krb.conf}
|
|
file to be as follows:
|
|
|
|
\begin{verbatim}
|
|
mideon# cat krb.conf
|
|
BSC.NO
|
|
BSC.NO mideon.bsc.no admin server
|
|
CS.BERKELEY.EDU okeeffe.berkeley.edu
|
|
ATHENA.MIT.EDU kerberos.mit.edu
|
|
ATHENA.MIT.EDU kerberos-1.mit.edu
|
|
ATHENA.MIT.EDU kerberos-2.mit.edu
|
|
ATHENA.MIT.EDU kerberos-3.mit.edu
|
|
LCS.MIT.EDU kerberos.lcs.mit.edu
|
|
TELECOM.MIT.EDU bitsy.mit.edu
|
|
ARC.NASA.GOV trident.arc.nasa.gov
|
|
\end{verbatim}
|
|
|
|
Now we have to add mideon.bsc.no to the BSC.NO realm and also add an entry
|
|
to put all hosts in the .bsc.no domain in the BSC.NO realm. The
|
|
{\bf krb.realms} file would be updated as follows:
|
|
|
|
\begin{verbatim}
|
|
mideon# cat krb.realms
|
|
mideon.bsc.no BSC.NO
|
|
.bsc.no BSC.NO
|
|
.berkeley.edu CS.BERKELEY.EDU
|
|
.MIT.EDU ATHENA.MIT.EDU
|
|
.mit.edu ATHENA.MIT.EDU
|
|
\end{verbatim}
|
|
|
|
Now we're ready to create the database, issue the {\bf kdb\_init} command
|
|
to do this:
|
|
|
|
\begin{verbatim}
|
|
mideon# kdb_init
|
|
Realm name [default CS.BERKELEY.EDU ]: BSC.NO
|
|
You will be prompted for the database Master Password.
|
|
It is important that you NOT FORGET this password.
|
|
|
|
Enter Kerberos master key:
|
|
\end{verbatim}
|
|
|
|
Now we have to save the key so that servers on the local machine can pick
|
|
it up. Use the {\bf kstash} command to do this.
|
|
|
|
\begin{verbatim}
|
|
mideon# kstash
|
|
|
|
Enter Kerberos master key:
|
|
|
|
Current Kerberos master key version is 1.
|
|
|
|
Master key entered. BEWARE!
|
|
\end{verbatim}
|
|
|
|
\section{Populating the database}
|
|
|
|
We now have to add some entries into the database. First lets create an
|
|
entry for the user {\it md}. Use the {\bf kdb\_edit} command to do this:
|
|
|
|
\begin{verbatim}
|
|
mideon# kdb_edit
|
|
Opening database...
|
|
|
|
Enter Kerberos master key:
|
|
|
|
Current Kerberos master key version is 1.
|
|
|
|
Master key entered. BEWARE!
|
|
Previous or default values are in [brackets] ,
|
|
enter return to leave the same, or new value.
|
|
|
|
Principal name: md
|
|
Instance:
|
|
md. not found, Create [y] ?
|
|
Principal: md, Instance: , kdc_key_ver: 1
|
|
New Password:
|
|
New Password:
|
|
|
|
Principal's new key version = 1
|
|
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
|
|
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
|
|
Attributes [ 0 ] ?
|
|
Edit O.K.
|
|
\end{verbatim}
|
|
|
|
Now lets add an entry for the password changing daemon, kpasswd. The
|
|
principal name must be {\it kpasswd} and the instance must be the name of
|
|
the local machine, {\it mideon} in this case. Similarily, we must also add
|
|
an entry for the principal {\it rcmd} with an instance equal to the
|
|
hostname of the local machine.
|
|
|
|
\begin{verbatim}
|
|
Principal name: kpasswd
|
|
Instance: mideon
|
|
kpasswd.mideon not found, Create [y] ?
|
|
Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
|
|
New Password: <---- enter RANDOM here
|
|
New Password: <---- and here
|
|
Random password [y] ?
|
|
|
|
Principal's new key version = 1
|
|
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
|
|
Max ticket lifetime (*5 minutes) [ 255 ] ?
|
|
Attributes [ 0 ] ?
|
|
Edit O.K.
|
|
Principal name: rcmd
|
|
Instance: mideon
|
|
rcmd.mideon not found, Create [y] ?
|
|
Principal: rcmd, Instance: mideon, kdc_key_ver: 1
|
|
New Password: <---- enter RANDOM here
|
|
New Password: <---- and here
|
|
Random password [y] ?
|
|
|
|
Principal's new key version = 1
|
|
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
|
|
Max ticket lifetime (*5 minutes) [ 255 ] ?
|
|
Attributes [ 0 ] ?
|
|
Edit O.K.
|
|
Principal name: <---- null entry here will cause an exit
|
|
\end{verbatim}
|
|
|
|
\section{Creating the server file}
|
|
|
|
We now have to extract all the instances which define the services on this
|
|
machine. For this we use the {\bf ext\_srvtab} command.
|
|
|
|
\begin{verbatim}
|
|
mideon# ext_srvtab mideon
|
|
|
|
Enter Kerberos master key:
|
|
|
|
Current Kerberos master key version is 1.
|
|
|
|
Master key entered. BEWARE!
|
|
Generating 'mideon-new-srvtab'....
|
|
\end{verbatim}
|
|
|
|
Now, this command only generates a temporary file which must be renamed
|
|
to {\bf srvtab} so that all the server can pick it up. Use the mv command to
|
|
move it into place:
|
|
|
|
\begin{verbatim}
|
|
mideon# mv mideon-new-srvtab srvtab
|
|
\end{verbatim}
|
|
|
|
\section{Testing it all out}
|
|
|
|
First we have to start the kerberos daemon:
|
|
|
|
\begin{verbatim}
|
|
mideon# kerberos &
|
|
[1] 774
|
|
mideon# Kerberos server starting
|
|
Sleep forever on error
|
|
Log file is /var/log/kerberos.log
|
|
Current Kerberos master key version is 1.
|
|
|
|
Master key entered. BEWARE!
|
|
|
|
Current Kerberos master key version is 1
|
|
Local realm: BSC.NO
|
|
\end{verbatim}
|
|
|
|
Now we can try using the {\bf kinit} command to get tokens for the id
|
|
{\it md} that we created above:
|
|
|
|
\begin{verbatim}
|
|
mideon# kinit md
|
|
Kerberos Initialization for "md"
|
|
Kerberos Password:
|
|
\end{verbatim}
|
|
|
|
Try listing the tokens using {\bf klist} to see if we really have them:
|
|
|
|
\begin{verbatim}
|
|
mideon# klist
|
|
Ticket file: /tmp/tkt0
|
|
Principal: md@BSC.NO
|
|
|
|
Issued Expires Principal
|
|
Mar 23 21:06:52 Mar 24 05:06:52 krbtgt.BSC.NO@BSC.NO
|
|
\end{verbatim}
|
|
|
|
And now try changing the password using {\bf passwd} to check if the
|
|
kpasswd daemon can get authorisation to the kerberos database:
|
|
|
|
\begin{verbatim}
|
|
mideon# passwd md
|
|
Changing Kerberos password for md.@BSC.NO.
|
|
Old Kerberos password:
|
|
New Kerberos password:
|
|
Retype new Kerberos password:
|
|
Update complete.
|
|
\end{verbatim}
|
|
|
|
\section{Adding su priviledges}
|
|
|
|
We should now add an id which is authorised to su to root. This is
|
|
controlled by having an instance of {\it root} associated with a principal.
|
|
Using {\bf kdb\_edit} we can create the entry {\it md.root} in the kerberos
|
|
database:
|
|
|
|
\begin{verbatim}
|
|
mideon# kdb_edit
|
|
Opening database...
|
|
|
|
Enter Kerberos master key:
|
|
|
|
Current Kerberos master key version is 1.
|
|
|
|
Master key entered. BEWARE!
|
|
Previous or default values are in [brackets] ,
|
|
enter return to leave the same, or new value.
|
|
|
|
Principal name: md
|
|
Instance: root
|
|
md.admin not found, Create [y] ?
|
|
Principal: md, Instance: admin, kdc_key_ver: 1
|
|
New Password:
|
|
New Password:
|
|
|
|
Principal's new key version = 1
|
|
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
|
|
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
|
|
Attributes [ 0 ] ?
|
|
Edit O.K.
|
|
Principal name:
|
|
\end{verbatim}
|
|
|
|
Now try getting tokens for it to make sure it works:
|
|
|
|
\begin{verbatim}
|
|
mideon# kinit md.root
|
|
Kerberos Initialization for "md.root"
|
|
Kerberos Password:
|
|
\end{verbatim}
|
|
|
|
And list them to check expiry times:
|
|
|
|
\begin{verbatim}
|
|
mideon# klist
|
|
Ticket file: /tmp/tkt0
|
|
Principal: md.root@BSC.NO
|
|
|
|
Issued Expires Principal
|
|
Mar 23 21:08:47 Mar 23 22:08:47 krbtgt.BSC.NO@BSC.NO
|
|
mideon#
|
|
\end{verbatim}
|
|
|
|
Now we need to add the user to root's {\bf .klogin} file:
|
|
|
|
\begin{verbatim}
|
|
mideon# cat /root/.klogin
|
|
md.root@BSC.NO
|
|
\end{verbatim}
|
|
|
|
Now try doing the su:
|
|
|
|
\begin{verbatim}
|
|
[md@mideon.bsc.no 10407] su
|
|
Kerberos Password:
|
|
Warning: tgt not verified.
|
|
\end{verbatim}
|
|
|
|
and take a look at what tokens we have:
|
|
|
|
\begin{verbatim}
|
|
mideon# klist
|
|
Ticket file: /tmp/tkt_root_1250
|
|
Principal: md.root@BSC.NO
|
|
|
|
Issued Expires Principal
|
|
Mar 23 22:09:59 Mar 23 22:19:59 krbtgt.BSC.NO@BSC.NO
|
|
mideon#
|
|
\end{verbatim}
|
|
|
|
Notice that with this setup each user has their own entry for su'ing to
|
|
root (the {\it user}.root entry in kerberos). This can allow you to give root
|
|
access to multiple users without the need to share a common root password.
|
|
\end{document}
|